The EU General Data Protection Regulation (GDPR) is fast approaching, with less than a year remaining for data controllers and processors to comply. For those who don’t, non-compliance could result in legal action or large fines (up to 4 per cent of an organisation’s global turnover or €20 million, whichever is greater). With the deadline looming, companies around the globe that handle personal data about individuals in the EU in any way will need to reinforce their compliance posture by requiring their vendors, including SaaS providers, to prove upstream compliance. From what it entails, to how to prepare, to what to expect once it arrives, the GDPR’s impact on business is proving to make it one of the most talked-about global regulations on data governance and data privacy to date.
And yet, according to a recent survey, less than one-quarter of firms affected by GDPR are planning ahead for it, while 24 per cent of organisations say they will not be ready by the May 2018 deadline. Size also factors heavily: 43 per cent of organisations with $1 billion or more in revenue can readily identify where personal data of EU citizens is being processed, compared to 26.8 per cent of organisations with less than $100 million in sales.
For those remaining, the one-year deadline serves as a ticking clock to what could almost certainly be an expensive scramble. While somewhat high-level in its requirements, the GDPR does have several explicit areas that will require SaaS providers to pay close attention and determine how they will respond to contractual agreements and incidents, including:
1. The right to be forgotten
The right to be forgotten is an EU provision under which data subjects have the right to obtain erasure of their personal data without undue delay when certain grounds apply. Complying with this requirement is likely to be one of the most challenging, as it could require a controller/processor to significantly change or redesign their solution. Even with less than one year before the regulation takes effect, it’s still not completely clear what will be required to comply with “being forgotten.” This should be a primary conversation with consumers of SaaS products to determine what makes sense for the application’s functionality and purpose, as well as for legal compliance.
2. Privacy by design
This requirement goes hand in hand with data erasure, in that it will be the end-result implementation of the consensus on what it means to “be forgotten.” Ultimately, creating a product/service that is developed with the regulation in mind is key. However, this is another requirement that, while stated in broad terms that seem easy to understand and comply with, definitely needs more discussion among all stakeholders.
3. Data protection officer (DPO)
A DPO may not be required for all SaaS providers, but it is incumbent on the service provider to do their due diligence in understanding when “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale (e.g. behavioural marketing based on personal data) or special categories of data” (e.g. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation); either of these would require the oversight of a DPO. Further, the provider needs to understand whether they fall under the “public authority or body” definition. In the “Guidelines on Data Protection Officers (DPOs)” issued by the Article 29 Working Party, there is some guidance on what a public authority or body could mean:
“A public task may be carried out, and public authority may be exercised not only by public authorities or bodies but also by other natural or legal persons governed by public or private law, in sectors such as, according to national regulation of each Member State, public transport services, water and energy supply, road infrastructure, public service broadcasting, public housing or disciplinary bodies for regulated professions.”
By determining the need for a DPO now, organisations can save time, headaches and money down the road.
Important next steps
SaaS providers should now begin evaluating their data collection practices against the regulation itself, while at the same time working with their partners and customers to determine what policies, procedures and legal requirements should be implemented to remain compliant.
Most SaaS providers are still working on solutions and discussing requirements with their customers and partners. Key to these discussions is an understanding and agreement on how other controllers and processors in the data subject information chain handle their responsibilities and perform internal GDPR impact assessments.
Here’s how three of the world’s biggest SaaS providers are preparing for GDPR compliance:
- Microsoft: “We are working to bring our products and services into compliance with the GDPR by May 2018. We are updating the features and functionality in all of our services to meet the GDPR requirements, and we are updating our documentation and our customer agreements to reflect the GDPR requirements.”
- Google: Google recently stated at its Google Cloud Next conference that compliance with GDPR is a “shared responsibility” and that it will have “full support for that by May 2018,” according to SVP Diane Greene. Google is continually updating its Compliance, Privacy, and Security guidelines.
- Salesforce: Salesforce has not yet posted an official statement or directive with regard to GDPR, but we expect them to do so in the near future. The Salesforce community is actively discussing it and how they can establish their own policies and procedures within Salesforce to prepare.
It’s up to SaaS providers to work together to better understand how their partners are preparing for GDPR, for instance by clarifying what Google means by the “shared responsibility” of compliance with the regulation. As we move through 2017, organisations should arrive at more definitive resolutions about how compliance will be met and communicate their plans and policies to all partners and users.
The bottom line is, don’t wait to get started. For organisations that rely on SaaS providers, proactively ensure that they are meeting the guidelines and regulations required under GDPR. For SaaS providers who have yet to implement an action plan, the clock is ticking.
Brian Rutledge, security and compliance engineer, Spanning